README.md

Ruby Advisory Database

The Ruby Advisory Database is a community effort to compile all security advisories that are relevant to Ruby libraries.

You can check your own Gemfile.lock files against this database using bundler-audit.

Support Ruby security!

Do you know about a vulnerability that isn't listed in this database? Open an issue, submit a PR, or use this form, which will email the maintainers.

Directory Structure

The database is a list of directories that match the names of Ruby libraries on
rubygems.org. Within each directory are one or more advisory files
for that Ruby library. Each advisory file is named after
the advisory's CVE identifier.

Tests

Prior to submitting a pull request, run the tests:

bundle install
bundle exec rspec

GitHub Advisory Sync

There is a script that will create initial yaml files for RubyGem advisories which
are in the GitHub Security Advisory API
but are not already in this dataset. This script can be run periodically to ensure
this repo has all the data that is present in the GitHub Advisory data.

The GitHub Advisory API requires a token to access it.

It can be a completely scopeless token (recommended); it does not require any permissions at all.

1. Fill in the cvss_v3 field by following the CVE link and copying the score from that page.

2. Fill in the patched_versions field, using the comments at the bottom of the file.

3. Optionally, fill in unaffected_versions if there are any unaffected versions.

4. Delete the GitHub data at the bottom of the yaml file.

5. Double-check all the data, commit it, and make a PR.

Unfortunately, the GitHub Advisory data is structured the opposite way from RubySec:
GitHub identifies the version ranges which are vulnerable, while RubySec identifies
the version ranges which are not vulnerable. This is why some manual
work is needed to translate between the two.
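As an added example of that translation (not part of this repository's scripts), the Ruby below turns a list of GitHub-style vulnerable ranges into RubySec-style patched_versions and unaffected_versions using Gem::Requirement, and includes a check that a given version is classified consistently by both forms. It assumes each vulnerable range uses only ">=" for the start of an affected series and "<" for the fix version; the range strings are constructed for illustration.

```ruby
require "rubygems"

# Translate GitHub-style *vulnerable* ranges (e.g. ">= 3.0.0, < 3.1.2") into
# RubySec-style patched_versions / unaffected_versions requirement strings.
# Assumption: each range has a "< X" fix version and at most one ">= Y" start.
def vulnerable_to_rubysec(vulnerable_ranges)
  bounds = vulnerable_ranges.map do |range|
    lower = nil
    upper = nil
    Gem::Requirement.new(*range.split(",").map(&:strip)).requirements.each do |op, ver|
      case op
      when ">=" then lower = ver
      when "<"  then upper = ver
      else raise ArgumentError, "unsupported operator #{op.inspect} in #{range.inspect}"
      end
    end
    raise ArgumentError, "no fix version (< X) in #{range.inspect}" unless upper
    [lower, upper]
  end
  # Order affected series from oldest to newest; a missing start sorts first.
  bounds.sort_by! { |lower, _| lower || Gem::Version.new("0") }

  unaffected = []
  # Releases before the earliest affected series were never vulnerable.
  first_lower = bounds.first&.first
  unaffected << "< #{first_lower}" if first_lower

  patched = []
  bounds.each_with_index do |(_, upper), i|
    next_lower = bounds[i + 1]&.first
    # Contiguous series (fix version == next series start) leave no safe window.
    next if next_lower && next_lower <= upper
    patched << (next_lower ? ">= #{upper}, < #{next_lower}" : ">= #{upper}")
  end

  { "patched_versions" => patched, "unaffected_versions" => unaffected }
end

# A version must be vulnerable per the GitHub ranges exactly when it is
# neither patched nor unaffected per the translated RubySec data.
def consistent?(vulnerable_ranges, rubysec, version)
  v = Gem::Version.new(version)
  sat = ->(r) { Gem::Requirement.new(*r.split(",").map(&:strip)).satisfied_by?(v) }
  vulnerable = vulnerable_ranges.any?(&sat)
  safe = (rubysec["patched_versions"] + rubysec["unaffected_versions"]).any?(&sat)
  vulnerable != safe
end
```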